Lovense fixes security flaws, then threatens legal action over data leaks

Summary
– Lovense fixed two security vulnerabilities that exposed users’ email addresses and allowed remote account takeovers, but its CEO is considering legal action over the disclosure.
– The company claims the bugs are “fully resolved” but did not clarify whether legal action targets media reports or the security researcher’s disclosure.
– A security researcher disclosed the bugs after Lovense allegedly proposed a 14-month fix instead of a faster one-month solution requiring user app updates.
– Lovense stated there is “no evidence” of compromised user data, though TechCrunch verified the email disclosure bug by testing it with the researcher.
– Organizations sometimes use legal threats to block disclosures of security flaws, as seen in recent cases involving ransomware attacks and court system vulnerabilities.
Lovense, a prominent manufacturer of smart adult toys, recently addressed critical security vulnerabilities that could have compromised user email addresses and allowed unauthorized account access. The company insists these issues have been completely resolved, but its CEO has hinted at potential legal action in response to how the flaws were publicly disclosed.
According to a statement from Lovense CEO Dan Liu, the company is exploring legal options regarding what it calls “inaccurate reporting” about the vulnerabilities. However, the statement did not specify whether these reports came from media outlets or independent security researchers. The ambiguity raises questions about whether Lovense intends to challenge factual disclosures or discourage further scrutiny.
The security flaws came to light after a researcher known as BobDaHacker revealed they had reported the issues to Lovense months earlier. The researcher went public with their findings after the company allegedly proposed an extended 14-month timeline to fully patch the vulnerabilities, rather than implementing a quicker solution that would have required user app updates within a month.
Lovense maintains that no user data was compromised or misused, though it remains unclear how the company verified this claim. Independent verification by TechCrunch confirmed that at least one vulnerability, exposing email addresses, was functional before being patched. When pressed for details on how Lovense determined no data breaches occurred, the company did not provide additional evidence or logs.
Legal threats following security disclosures are not uncommon, though they often draw criticism for attempting to suppress transparency. Earlier this year, a journalist faced legal pressure after reporting on a ransomware attack affecting a UK healthcare provider. Similarly, a Florida county official once threatened criminal charges against a researcher who exposed vulnerabilities in a court records system.
While Lovense has now rolled out fixes that require users to update the app, the company’s response highlights the ongoing tension between manufacturers and security researchers over responsible disclosure practices. The situation underscores the importance of timely vulnerability remediation and the risk of prioritizing corporate reputation over user security.
(Source: TechCrunch)